Fortinet Critical Flaw: Let a Remote Attacker Execute Arbitrary Code

Chinese APT41 Group Attack Android Devices With WyrmSpy and DragonEgg Malware

A Chinese-based state-sponsored espionage group, APT41 targets Android devices through spyware wyrmspy and Dragon egg which masquerades as legit applications.

This group has been active since 2012 and targets both public and private sectors related to software development, hardware manufacturers, telecommunications, social media, video games, etc.

According to U.S. grand jury indictments from 2019 and 2020, the group was involved in compromising over 100 public and private organizations and individuals in the United States and around the world.

Lookout Threat Lab researchers have been actively tracking both spyware and shared their detailed analysis report.

Spyware Attack Android Devices

Initially, this malware imitates legitimate Android applications for showing notifications; once successfully installed on the user’s machine, it claims multiple device permission to enable data exfiltration.

Google confirmed that based on current detection, no apps containing this malware are found to be on Google Play.

Wyrmspy can collect log files, photos, Device location, SMS messages (read and write), and Audio recordings.

Utilizes known rooting tools to gain escalated privileges to the device and perform surveillance activities specified by commands received from its C2 servers. 

Dragon egg receives payload, often called “smallmload.jar,” from either the C2 infrastructure or a file bundled with the APK. 

This file tries to get and launch more functionality like WyrmSpy; the DragonEgg samples ask for many permissions for services that aren’t actually used in the main app. 

Dragon Egg is also able to collect data like Device contacts, SMS messages, External device storage files, Device location, Audio recording, and Camera photos once it successfully compromises the device.

Both the Dragon Egg and WyrmSpy require commands from C2 and use configuration files to decide how to respond to the compromised device and what data to extract.

Stay up-to-date with the latest Cyber Security News; follow us on GoogleNews, Linkedin, Twitter, and Facebook.

The post Chinese APT41 Group Attack Android Devices With WyrmSpy and DragonEgg Malware appeared first on Cyber Security News.

   Read More 

Cyber Security News 

Water Sigbin Hackers Exploit Oracle WebLogic Vulnerabilities

Cybersecurity researchers uncovered a sophisticated attack campaign by the Water Sigbin (aka 8220 Gang) threat actor that exploited vulnerabilities in the Oracle WebLogic Server, notably CVE-2017-3506 and CVE-2023-21839, to deploy the XMRig cryptocurrency miner on compromised systems.

The attack begins with the threat actor exploiting the WebLogic vulnerabilities to execute a malicious PowerShell script on the victim machine.

This script decodes a Base64-encoded payload, which initiates a multi-stage loading process to deliver the PureCrypter loader and the XMRig miner.

Water Sigbin employs several advanced tactics to evade detection:

All payloads are protected using .Net Reactor, a code protection software that obfuscates the code and incorporates anti-debugging measures

The malware uses fileless execution techniques, such as DLL reflective injection and process hollowing, to run the malicious code solely in memory

The XMRig miner masquerades as legitimate processes like cvtres.exe and AddinProcess.exe to avoid suspicion

“Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!”- Free Demo

Technical Analysis:

The attack involves multiple stages of payload decryption, decompression, and loading:

Initial PowerShell script decodes Base64 payload

Decoded payload (wireguard2-3.exe) decrypts and loads second stage DLL (Zxpus.dll) via reflective injection

Zxpus.dll retrieves encrypted binary, decrypts it using AES, decompresses with GZip, and deserializes to reveal next loader configuration

Loader creates cvtres.exe process and injects next stage payload

cvtres.exe loads PureCrypter loader DLL (Tixrgtluffu.dll)

PureCrypter registers with C2 server and downloads final XMRig miner payload.

The malware collects system information like processor ID, disk drive details, installed AV software, etc. using WMI queries. This data is encrypted and sent to the C2 server at 89.185.85[.]102:9091 for victim identification.

Attack Flow

The malware employs fileless execution techniques, using DLL reflective and process injection. This allows the malware code to run solely in memory and avoid disk-based detection mechanisms.

The payloads used during this campaign are protected using .NET Reactor, a .NET code protection software, to safeguard against reverse engineering. This protection obfuscates the code, making it difficult for defenders to understand and replicate.

Additionally, it incorporates anti-debugging techniques. The attack begins with the exploitation of CVE-2017-3506, which deploys a PowerShell script on the compromised machine.

This script decodes the first stage Base64-encoded payload and stores the decrypted response in a registry key under the subkey path HKEY_CURRENT_USERSOFTWARE<Victim ID>.

According to Trend Micro report, The malware then downloads an encrypted file named plugin3.dlland decrypts it using the TripleDES algorithm and decompresses it with Gzip.The loader creates a new process named AddinProcess.exe to impersonate a legitimate process, using process injection to load the XMRig payload into memory and start the new process.

The final payload is XMRig, a popular open-source mining software that supports multiple operating systems. It sends a mining login request to a mining pool URL “217.182.205[.]238:8080” and a wallet address “ZEPHYR2xf9vMHptpxP6VY4hHwTe94b2L5SGyp9Czg57U8DwRT3RQvDd37eyKxoFJUYJvP5ivBbiFCAMyaKWUe9aPZzuNoDXYTtj2Z.c4k”.

Indicators of Compromise

e6e69e85962a402a35cbc5b75571dab3739c0b2f3861ba5853dbd140bae4e4da
f4d11b36a844a68bf9718cf720984468583efa6664fc99966115a44b9a20aa33 – Ransom_Blocker.R002C0XFC24
0bf87b0e65713bf35c8cf54c9fa0015fa629624fd590cb4ba941cd7cdeda8050 – TROJ_FRS.VSNTFH24
b380b771c7f5c2c26750e281101873772e10c8c1a0d2a2ff0aff1912b569ab93 – TROJ_FRS.0NA104FH24
2e32c5cea00f8e4c808eae806b14585e8672385df7449d2f6575927537ce8884 – Trojan.MSIL.EXNET.VSNW11F24

[URL/IP address]
89[.]169[.]52[.]37
http://87[.]121[.]105[.]232/bin.ps1
http://79[.]110[.]49[.]232/plugin3.dll

Mitigation:

Trend Micro advises organizations to implement security best practices like regular patching, robust access controls, security assessments, and employee awareness training to defend against such threats. Specific recommendations include:

Keep systems and software updated with latest security patches

Use strong authentication methods like multi-factor authentication

Regularly scan for vulnerabilities

Educate employees on security best practices

Use endpoint detection and response solutions to detect malicious activity

By exploiting WebLogic vulnerabilities, using advanced evasion tactics, and deploying XMRig miners, the Water Sigbin threat actor has once again demonstrated its technical sophistication.

Are you from SOC/DFIR Teams? – Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files

The post Water Sigbin Hackers Exploit Oracle WebLogic Vulnerabilities appeared first on Cyber Security News.

 Read More 

Kroll Experiences Data Breach After Employee Is Hacked Via SIM Swap Attack

A high-profile cyber attack targeted a prominent company, Kroll. This attack utilized a sophisticated technique known as “SIM swapping,” which allowed the threat actor to gain unauthorized access to sensitive personal information.

On Saturday, August 19, 2023, Kroll was informed about the SIM swapping attack that targeted a T-Mobile US., Inc. account belonging to a Kroll employee.

Immediate actions were taken to secure the three affected accounts, said Kroll, a cybersecurity company.

The SIM Swapping Attack

This method involves convincing a mobile carrier to transfer a victim’s phone number to a device under the attacker’s control. 

In this case, T-Mobile transferred the Kroll employee’s phone number to the attacker’s phone upon their request, giving them control over incoming calls and messages.

From January 2018 to December 2020, the FBI Internet Crime Complaint Center (IC3) received 320 complaints about SIM swapping incidents with adjusted losses of approximately $12 million. 

In 2021, IC3 received 1,611 SIM swapping complaints with more than $68 million in adjusted losses.

Access to Sensitive Information

As a result of the SIM swapping attack, the threat actor gained access to certain files containing the personal information of individuals involved in bankruptcy claims related to BlockFi, FTX, and Genesis. 

This breach of confidential data poses serious concerns for affected individuals, as their personal information could be misused for fraudulent activities or identity theft.

Upon discovering the attack, immediate actions were taken to secure the affected accounts of BlockFi, FTX, and Genesis. 

Affected individuals were promptly notified via email to ensure they were aware of the breach and could take necessary precautions.

Kroll also stressed its cooperation with the FBI to conduct a thorough investigation into the incident, aiming to bring the responsible parties to justice.

Preventative Measures and Vigilance

Kroll’s response to the incident highlights the importance of cybersecurity practices and the need for constant vigilance against such threats. 

The company has provided a list of actions it will never ask or require individuals to undertake in connection with bankruptcy claims or asset distribution. 

This includes not linking a cryptocurrency wallet to a website or application, not sharing seed phrases or private keys, avoiding downloads of unfamiliar software or wallet applications, refraining from providing passwords via email, text, or phone, and not sharing personal identifying information through insecure channels.

While the investigation is ongoing, this incident serves as a cautionary tale for individuals and businesses alike, highlighting the critical role of proactive security practices, employee education, and partnerships with law enforcement agencies.

It is a reminder to use strong multi-factor authentication methods such as biometrics, physical security tokens, or standalone authentication applications to access online accounts.

Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.

The post Kroll Experiences Data Breach After Employee Is Hacked Via SIM Swap Attack appeared first on Cyber Security News.

   Read More 

Cyber Security News